j-gray, posted October 1, 2021:
In ESMC, ESET Server Security logs a detection type 'Security vulnerability exploitation attempt' caused by EsetIpBlacklist. The detection type is labelled as 'Firewall'. As the Server Security policies don't have a specific 'Firewall' section or component, can anyone clarify what component exactly is responsible for this protection? My assumption is that it's the IDS component of Network Protection, but I'm not entirely sure. TIA
Marcos (Administrator), posted October 1, 2021:
Yes, it's Network protection that blocks addresses seen to generate malicious communication. Do you suspect a particular IP address to be blocked incorrectly?
j-gray (author), posted October 1, 2021:
Marcos said: "Yes, it's Network protection that blocks addresses seen to generate malicious communication. Do you suspect a particular IP address to be blocked incorrectly?"
Thanks for the reply. There's no visibility or information (other than blacklist) to help us determine why the IP is being blocked. All we know is that they are IPs that are external to our network. Is there any more detailed information logged somewhere?
Marcos (Administrator), posted October 1, 2021:
j-gray said: "Is there any more detailed information logged somewhere?"
No. However, if you provide the IP address I could search for possible reasons.
j-gray (author), posted October 1, 2021:
Marcos said: "No. However, if you provide the IP address I could search for possible reasons."
Thanks - I just sent the IPs via PM. Hope that's ok.
j-gray (author), posted October 4, 2021:
@Marcos The bulk of the hits are coming frequently and from one cloud hosting provider: 192.241.128.0/17. We have IDS and IPS in place at our edge, but they're not detecting this traffic. Is the ESET component simply a block list, or is there some other logic/analysis in place?
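The post above reached its conclusion (most hits come from one provider range) by looking at the blocked addresses. The script below is an added example of that triage step; it is not code from the thread or from ESET. It assumes a simplified CSV export layout (timestamp, detection type, cause, remote IP), which is a constructed stand-in for whatever ESMC actually exports, and uses the 192.241.128.0/17 range named in the post as the watched network. The bucket labels are the example's own.

```python
import ipaddress
from collections import Counter

# Constructed sample detection records (timestamp, detection type, cause, remote IP).
# This layout is an assumption made for the example, not ESMC's real export format.
# The last row is deliberately malformed to show that bad rows are skipped, not fatal.
SAMPLE_DETECTIONS = """\
2021-10-01 08:12:03,Security vulnerability exploitation attempt,EsetIpBlacklist,192.241.130.17
2021-10-01 08:12:41,Security vulnerability exploitation attempt,EsetIpBlacklist,192.241.201.5
2021-10-01 09:03:12,Security vulnerability exploitation attempt,EsetIpBlacklist,203.0.113.44
2021-10-01 09:45:59,Security vulnerability exploitation attempt,EsetIpBlacklist,192.241.130.17
2021-10-01 10:02:07,Security vulnerability exploitation attempt,EsetIpBlacklist,198.51.100.9
2021-10-01 10:30:00,Security vulnerability exploitation attempt,EsetIpBlacklist,not-an-ip
"""

# Watched ranges: the provider range from the thread, keyed by a label of our choosing.
PROVIDER_LABEL = "cloud-provider-192.241.128.0/17"
WATCHED_NETWORKS = {
    PROVIDER_LABEL: ipaddress.ip_network("192.241.128.0/17"),
}


def parse_detections(text):
    """Parse the constructed CSV layout into (timestamp, cause, ip) tuples, skipping bad rows."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            continue
        ts, _detection_type, cause, raw_ip = parts
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue  # malformed address: drop the row rather than abort the whole triage run
        records.append((ts, cause, ip))
    return records


def classify(ip, networks=WATCHED_NETWORKS):
    """Return the label of the first watched network containing ip, or 'other'.

    Accepts either an address string or an ipaddress object. Address family is
    checked first, because `ip in net` raises on a v4/v6 mismatch.
    """
    addr = ipaddress.ip_address(str(ip))
    for label, net in networks.items():
        if addr.version == net.version and addr in net:
            return label
    return "other"


def summarize(records, networks=WATCHED_NETWORKS):
    """Count detections per bucket and collect the distinct source IPs seen in each."""
    hits = Counter()
    sources = {}
    for _ts, _cause, ip in records:
        label = classify(ip, networks)
        hits[label] += 1
        sources.setdefault(label, set()).add(str(ip))
    return hits, sources


def share_from(label, hits):
    """Fraction of all detections attributed to one bucket (0.0 when there are none)."""
    total = sum(hits.values())
    return hits[label] / total if total else 0.0


if __name__ == "__main__":
    recs = parse_detections(SAMPLE_DETECTIONS)
    hits, sources = summarize(recs)
    for label, n in hits.most_common():
        print(f"{label}: {n} detections from {sorted(sources[label])}")
    print(f"share from watched provider: {share_from(PROVIDER_LABEL, hits):.0%}")
```

Run against a real export, the per-bucket counts and distinct-source lists give the same picture the post describes (how much of the volume is one provider's range and how many distinct hosts it involves), which is the input you need before deciding whether to raise the range with ESET or look at why the edge IDS/IPS sees nothing.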